Slashdot Mirror


Tor Users Urged To Update After Security Breach

An anonymous reader writes "If you use Tor, you're cautioned to update now due to a security breach. In a message on the Tor mailing list dated Jan 20, 2010, Tor developer Roger Dingledine outlines the issue and why you should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha now: 'In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we'd recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers.' Tor users should visit the download page and update ASAP."

10 of 161 comments

  1. From: Anonymous Coward by Anonymous Coward · · Score: 5, Interesting

    Anyone else find it so funny that a news story about anonymity is suggested to slashdot by anonymous coward?

    I think it's the best form of joke... one with an epic amount of unexpected expectedness.

  2. Tor weaknesses by girlintraining · · Score: 4, Interesting

    The problem with Tor is that there's no way to detect compromises -- every node on the network could be compromised and you'd never know. Authors of botnets have greater anonymity than we do -- ironically because it's run by a central authority. An illegal and immoral one, yes, but one that comes with a measure of anonymity. Few botnet authors are actually caught even with the most primitive security methods. They don't even use encryption and they often can't be found...

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Tor weaknesses by X0563511 · · Score: 2, Interesting

      The fun begins when they start noting illegal commands and retaliating. Fun.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  3. US Intelligence almost certainly monitors TOR by presidenteloco · · Score: 3, Interesting

    I mean. That's where I'd go fishing for people trying to communicate secrets,
    if I was them.

    Now I don't want to spread paranoia, but
    did you know that the patent on Onion Routing was filed by the US Department of the Navy?
    Look it up.

    Remember kiddies. Always use your own encryption layer.

    --

    Where are we going and why are we in a handbasket?
    1. Re:US Intelligence almost certainly monitors TOR by Mr.Bananas · · Score: 2, Interesting

      Have a read at this piece of work: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565 While hiding in plain sight has its value, not being able to hide anything can have plenty of harm to an innocent person, especially if they have no control of how their data is used or interpreted.

  4. New Tor attacks and anonymity attacks all the time by Anonymous Coward · · Score: 1, Interesting

    Attacking Tor at the Application Layer

    http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-gregory_fleischer-attacking_tor.pdf

    https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Gregory%20Fleischer%20-%20Attacking%20Tor%20and%20the%20Application%20Layer%20-%20Video%20and%20Slides.m4v

    https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Gregory%20Fleischer%20-%20Attacking%20Tor%20and%20the%20Application%20Layer%20-%20Slides.m4v

    https://media.defcon.org/dc-17/audio/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Gregory%20Fleischer%20-%20Attacking%20Tor%20and%20the%20Application%20Layer%20-%20Audio.m4b

    Sniff Keystrokes With Lasers/Voltmeters - Side Channel Attacks Using Optical Sampling Of Mechanical Energy And Power Line Leakage:

    http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-barisani-bianco-sniff_keystrokes.pdf

    http://www.defcon.org/images/defcon-17/dc-17-presentations/Andrea_Barisani-Daniele_%20Bianco/defcon-17-barisani-bianco-sniff_keystrokes-wp.pdf

    https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Andrea%20Barisani%20and%20Daniele%20Bianco%20-%20Sniffing%20Keystrockes%20with%20Lasers%20and%20Voltmeters%20-%20Video%20and%20Slides.m4v

    Router Exploitation

    http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-fx-wp.pdf

    https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20FX%20-%20Router%20Exploitation%20-%20Video%20and%20Slides.m4v

    https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20FX%20-%20Router%20Exploitation%20-%20Slides.m4v

    Unmasking You

    http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-abraham-hansen-unmasking_you.pdf

    Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data

    http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-alonso-palazon-tactical_fingerprinting.pdf

    Down the R

  5. Re:first by JWSmythe · · Score: 2, Interesting

    Technically, it can't be. But since most of the exit points are pretty well known, it's not all that hard. If more people made themselves exit points, rather than just taking advantage of the network, that problem would go away.

    I've tried Slashdot. It's been a matter of switching exit points until you find one that isn't forbidden. Google is really on top of it though. I suspect they may have a tie-in with the network map, so they know the exit points as they come and go.

    --
    Serious? Seriousness is well above my pay grade.
  6. Re:Sooo...... by trytoguess · · Score: 2, Interesting

    People with sexual urges will eventually create an opportunity to act on them, and readily available pornographic content simply encourages them by giving them validation and a sense of moral acceptance.

    Hmm... then how about homosexuality? It's not hard to find stories of people who denied attraction to the same sex their whole life in order to avoid being socially stigmatized.

    As for the effects of pornography, does masturbating calm your sexual urges, or does it inflame them?

  7. Re:Further Details From Roger by wall0159 · · Score: 2, Interesting

    "A friendly anonymous sponsor has provided a pile of new servers, and git and svn are now up
    in their new locations"

    I read this to mean that tor are hosting git and svn on the new, anonymously-donated servers. I expect that if they were hardware-compromised, that could be used, in turn, to compromise the source-repositories. Please correct me if I'm wrong tho...

    Having said all that - I'd also expect a project like tor to be pretty careful with security! Also, it's quite possible that although the servers were anonymously-donated, they may still have been sourced by the tor project - it's hard to imagine a guy in a trench-coat and dark glasses knocking on their door, handing them a server before fading into the shadows, and them welcoming it with open arms!

  8. What was the cause of the breach? by master_p · · Score: 2, Interesting

    The links are not very informative about what allowed the breach to happen. Was it a security model vulnerability? Man-in-the-middle attack? Buffer overflow?